Bug #75241 Null pointer dereference in zend_mm_alloc_small()
Submitted: 2017-09-21 08:40 UTC Modified: -
From: fumfi dot 255 at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 7.1.9 OS: Ubuntu 16.04 x64
Private report: No CVE-ID: None
 [2017-09-21 08:40 UTC] fumfi dot 255 at gmail dot com
Description:
------------
After some fuzz testing I found a crashing test case.

Version: 7.18

Command: php php_nullptr_zend_mm_alloc_small.php

ASAN:

==22121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000016aab11 bp 0x0fe6bf7c0010 sp 0x7fff4f0ba340 T0)
==22121==The signal is caused by a READ memory access.
==22121==Hint: address points to the zero page.
    #0 0x16aab10 in zend_mm_alloc_small XYZ/php-7.1.8/Zend/zend_alloc.c:1261:33
    #1 0x16aab10 in zend_mm_alloc_heap XYZ/php-7.1.8/Zend/zend_alloc.c:1332
    #2 0x16aab10 in _emalloc XYZ/php-7.1.8/Zend/zend_alloc.c:2417
    #3 0x198bde8 in zend_string_alloc XYZ/php-7.1.8/Zend/zend_string.h:122:36
    #4 0x198bde8 in ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDLER XYZ/php-7.1.8/Zend/zend_vm_execute.h:52084
    #5 0x196fb4d in execute_ex XYZ/php-7.1.8/Zend/zend_vm_execute.h:432:7
    #6 0x176fb4c in zend_call_function XYZ/php-7.1.8/Zend/zend_execute_API.c:855:3
    #7 0x176d73d in _call_user_function_ex XYZ/php-7.1.8/Zend/zend_execute_API.c:672:9
    #8 0x17d018f in zend_error_noreturn XYZ/php-7.1.8/Zend/zend.c:1254:8
    #9 0x1b111c5 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER XYZ/php-7.1.8/Zend/zend_vm_execute.h:18801:5
    #10 0x196fb4d in execute_ex XYZ/php-7.1.8/Zend/zend_vm_execute.h:432:7
    #11 0x1970b2b in zend_execute XYZ/php-7.1.8/Zend/zend_vm_execute.h:474:2
    #12 0x17d2629 in zend_execute_scripts XYZ/php-7.1.8/Zend/zend.c:1476:4
    #13 0x156a812 in php_execute_script XYZ/php-7.1.8/main/main.c:2537:14
    #14 0x1c4506d in do_cli XYZ/php-7.1.8/sapi/cli/php_cli.c:993:5
    #15 0x1c418e5 in main XYZ/php-7.1.8/sapi/cli/php_cli.c:1381:18
    #16 0x7f360124682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x43ac28 in _start (/usr/local/bin/php+0x43ac28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.8/Zend/zend_alloc.c:1261:33 in zend_mm_alloc_small
==22121==ABORTING



Test script:
---------------
<?php
function eh(){e."0000000";}set_error_handler('eh');$d->d=&$d+$d->d/=0?><?$$d->b=0;
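The AddressSanitizer output in the report above is the kind of artifact a fuzzing campaign produces by the hundreds, and the first triage step is to turn it into structured fields (bug type, faulting address, access kind, symbolized frames) so crashes can be classified and deduplicated before anyone looks at a reproducer. The following Python helper is an added example, not code from the bug report or from the PHP project: it parses an ASan report of the shape shown here, classifies a SEGV on a zero-page address as a null pointer dereference, and builds a dedup signature from the top frames that carry source locations. The embedded sample is the page's own trace with frames #10-#15 dropped for brevity (the `XYZ/` prefix is the reporter's redacted build path); the function names `parse_asan_report`, `classify` and `signature` are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the AddressSanitizer output from the bug report above, with
# frames #10-#15 dropped for brevity. "XYZ/" is the reporter's redacted build path.
ASAN_REPORT = """\
==22121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000016aab11 bp 0x0fe6bf7c0010 sp 0x7fff4f0ba340 T0)
==22121==The signal is caused by a READ memory access.
==22121==Hint: address points to the zero page.
    #0 0x16aab10 in zend_mm_alloc_small XYZ/php-7.1.8/Zend/zend_alloc.c:1261:33
    #1 0x16aab10 in zend_mm_alloc_heap XYZ/php-7.1.8/Zend/zend_alloc.c:1332
    #2 0x16aab10 in _emalloc XYZ/php-7.1.8/Zend/zend_alloc.c:2417
    #3 0x198bde8 in zend_string_alloc XYZ/php-7.1.8/Zend/zend_string.h:122:36
    #4 0x198bde8 in ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDLER XYZ/php-7.1.8/Zend/zend_vm_execute.h:52084
    #5 0x196fb4d in execute_ex XYZ/php-7.1.8/Zend/zend_vm_execute.h:432:7
    #6 0x176fb4c in zend_call_function XYZ/php-7.1.8/Zend/zend_execute_API.c:855:3
    #7 0x176d73d in _call_user_function_ex XYZ/php-7.1.8/Zend/zend_execute_API.c:672:9
    #8 0x17d018f in zend_error_noreturn XYZ/php-7.1.8/Zend/zend.c:1254:8
    #9 0x1b111c5 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER XYZ/php-7.1.8/Zend/zend_vm_execute.h:18801:5
    #16 0x7f360124682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x43ac28 in _start (/usr/local/bin/php+0x43ac28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.8/Zend/zend_alloc.c:1261:33 in zend_mm_alloc_small
==22121==ABORTING
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b")
# "#N 0xADDR in FUNCTION LOCATION"; LOCATION is "file:line[:col]" or "(module+offset)".
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$")
LOCATION_RE = re.compile(r"^(.*?):(\d+)(?::(\d+))?$")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: \S+ (\S+) in (\S+)")


@dataclass
class Frame:
    index: int
    function: str
    file: str                 # source path, or "(module+offset)" when unsymbolized
    line: Optional[int]
    column: Optional[int]


@dataclass
class AsanReport:
    pid: int
    bug_type: str             # e.g. "SEGV", "heap-buffer-overflow"
    address: int              # faulting address
    access: Optional[str] = None  # "READ" or "WRITE"
    frames: List[Frame] = field(default_factory=list)
    summary_location: Optional[str] = None


def parse_asan_report(text: str) -> AsanReport:
    """Parse the first error block of an ASan report into structured fields."""
    report: Optional[AsanReport] = None
    stack_done = False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), bug_type=m.group(2),
                                address=int(m.group(3), 16))
            continue
        if report is None:
            continue  # preamble before the error header
        # SEGV reports say "caused by a READ memory access"; other bug types say
        # "READ of size N at ..."; both carry the access kind.
        if report.access is None and ("memory access" in line or " of size " in line):
            a = ACCESS_RE.search(line)
            if a:
                report.access = a.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            # Only the first stack (the crash site) is kept; later stacks describe
            # allocation/free sites for heap bugs. Note that inlined frames (#0-#2 here)
            # share one pc; the symbolizer recovers them from debug info.
            if not stack_done:
                idx, func, location = int(m.group(1)), m.group(2), m.group(3)
                loc = LOCATION_RE.match(location)
                if loc:
                    report.frames.append(Frame(idx, func, loc.group(1), int(loc.group(2)),
                                               int(loc.group(3)) if loc.group(3) else None))
                else:
                    report.frames.append(Frame(idx, func, location, None, None))
            continue
        if report.frames:
            stack_done = True  # first non-frame line ends the primary stack
        m = SUMMARY_RE.match(line)
        if m:
            report.summary_location = m.group(1)
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def classify(report: AsanReport) -> str:
    """Coarse crash class for triage: a SEGV below the first page is a NULL deref."""
    if report.bug_type == "SEGV" and report.address < 0x1000:
        return "null-pointer-dereference"
    return report.bug_type


def signature(report: AsanReport, depth: int = 3) -> str:
    """Dedup key: the top frames that have source locations (libc/_start do not)."""
    top = [f for f in report.frames if f.line is not None][:depth]
    return "|".join(f.function for f in top)


if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    print(classify(r), r.access, hex(r.address), signature(r), r.summary_location)
```

On the page's trace this yields the class `null-pointer-dereference`, a `READ` access, and the signature `zend_mm_alloc_small|zend_mm_alloc_heap|_emalloc`; the frames below the allocator (`zend_error_noreturn` calling back into user code via `zend_call_function`) are what distinguish this crash from an ordinary allocator bug when reading the full report.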


History

 [2017-09-24 09:25 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b05ff14a9aa8fd98eea9cbeb090f9d64bf302561
Log: Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).
 [2017-09-24 09:25 UTC] laruence@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 15:01:30 2024 UTC